Recurring Hijack - arrgghh


GaryTorello
July 13th, 2004, 01:24 PM
Hi All!

Well.. I've run Spybot, Ad-Aware, etc. a gazillion times (all up to date), and I'm STILL getting hijacked bigtime.. It changes my homepage to "about:blank", and MSIE opens up to create numerous pop-ups, 50.. 60.. etc., until I kill the process or the system freezes. This has me CRAZY, as I haven't been able to get a thing done for the past 2 days.

Below is a copy of my latest HijackThis logfile. ANY HELP would be GREATLY appreciated!

-------------------- Begin Logfile ------------------


Logfile of HijackThis v1.98.0
Scan saved at 12:33:52 PM, on 7/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\ec27ser.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Search Engine Commando\ScheduleService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Browser Hijack Blaster\bhblaster.exe
C:\Program Files\Aladdin Systems\StuffIt Standard\stuffit.exe
C:\~qgm\temp\HijackThis_1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qgm.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Ad Rage] C:\Program Files\Ad Rage\adrage.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [DeskMateAutoUpdate] C:\PROGRA~1\DESKMA~1\DeskMateAutoUpdate.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: SnS DeskMate.LNK = C:\Program Files\DeskMates\SnS\SnS.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Help - {901814B0-0503-4AE8-B035-78A796209B11} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {993F3153-B25D-415A-95CC-D9361031A464} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {DDE96853-CCE3-4789-861B-E00992C6B09E} - http://www.comcast.net (file missing) (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: ConferenceRoom Java Client - http://216.152.65.174:8000/java/cr.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/189886f163cac5ca0d06/netzip/RdxIE601.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs2b.instantservice.com/jars/customerxsigned35.cab
O16 - DPF: {B7BCF6D1-6EF6-11D2-97A1-0000C0EAE6E4} (Sausage Software Installer/Uninstaller) - http://autodownload.sausage.com/Installer.cab
O16 - DPF: {EC1AFAB0-2FEB-11D2-9777-0000C0EAE6E4} (Sausage Software Autodownloader) - http://autodownload.sausage.com/IEAutoDL.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

-------------------- End Logfile ------------------

Again, any help anyone can give would be greatly appreciated. THANKS IN ADVANCE!

Gary
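Since the thread turns on reading a HijackThis log by hand, here is a small parser and triage script for that log format. It is an added example, not code from the thread or from the HijackThis project. It splits the log into its `R0`/`R1`/`O4`/`O16` entries and applies three defender-side checks that are my own heuristics, not anything HijackThis itself does: an autorun entry that launches from a user data directory or whose name begins with a backslash, an `O16` ActiveX download served from a raw IP address rather than a hostname, and a start page reset to `about:blank`. The sample lines are copied from the log above, except the final `about:blank` line, which is constructed to exercise the start-page check (the poster reports that symptom, but the log was captured while the page read `www.qgm.com`). A flag is a prompt to look closer, not a verdict.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlparse

# Sample HijackThis lines. All but the last are copied from the log posted
# in this thread; the final R0 line is constructed to show the about:blank
# check, since the posted log was taken while the start page read qgm.com.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O16 - DPF: ConferenceRoom Java Client - http://216.152.65.174:8000/java/cr.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
"""

# Every HijackThis entry starts with a section code (R0, O4, O16, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
# O4 Run entries: HKLM\..\Run: [name] command
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O16 DPF entries end with the URL the ActiveX control was downloaded from.
DPF_RE = re.compile(r"^DPF: .+ - (?P<url>\S+)$")
START_PAGE_RE = re.compile(r"Start Page = (?P<url>.+)$")
# Heuristic (my assumption): autoruns living under a user data directory
# (8.3 short names as HijackThis prints them, or the long names) deserve a look.
USER_DATA_RE = re.compile(
    r"DOCUME~1|APPLIC~1|Documents and Settings|Application Data", re.IGNORECASE
)


@dataclass
class Entry:
    kind: str   # section code, e.g. "O4"
    body: str   # the rest of the line


@dataclass
class Finding:
    kind: str
    reason: str
    line: str


def parse_log(text):
    """Return the HijackThis entries in the log; process list and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries


def is_raw_ip(host):
    """True when the host part of a URL is a literal IPv4/IPv6 address."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage(entries):
    """Apply the three heuristic checks and return one Finding per hit."""
    findings = []
    for e in entries:
        if e.kind in ("R0", "R1"):
            m = START_PAGE_RE.search(e.body)
            if m and m.group("url").strip().lower() == "about:blank":
                findings.append(Finding(e.kind, "start page reset to about:blank", e.body))
        elif e.kind == "O4":
            m = RUN_RE.match(e.body)
            if not m:          # Startup-folder entries use a different layout
                continue
            name, cmd = m.group("name"), m.group("cmd")
            if name.startswith("\\"):
                findings.append(Finding(e.kind, "autorun name begins with a backslash", e.body))
            if USER_DATA_RE.search(cmd):
                findings.append(Finding(e.kind, "autorun launches from a user data directory", e.body))
        elif e.kind == "O16":
            m = DPF_RE.match(e.body)
            host = urlparse(m.group("url")).hostname if m else None
            if host and is_raw_ip(host):
                findings.append(Finding(e.kind, "ActiveX download from a raw IP address", e.body))
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"{f.kind}: {f.reason}\n    {f.line}")
```

Run against the sample, the script flags the `\IEService.exe` autorun twice (odd name, user-writable location), the ConferenceRoom control fetched from `216.152.65.174`, and the constructed `about:blank` start page, and stays quiet on the Norton autorun and the MSN chat control. To use it on a real log, replace `SAMPLE_LOG` with the file contents.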

DonJ
July 13th, 2004, 06:16 PM
Hi Gary,

Concerning your constant popups, you might want to check out Google Toolbar. (http://toolbar.google.com/) From what I've seen, it will stop about 90% or so of those annoying popups.

A lot of people also like using Zone Alarm by ZoneLabs. (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp) There is a free version to download. Once you get it configured, you decide whether to let programs access the internet, etc.

Are you running Norton Anti-Virus? Which version? Is it all up-to-date?

Do you have the latest Updates from Micro$oft? (http://v4.windowsupdate.microsoft.com/en/default.asp)

I would try booting into Safe Mode. Run your Adaware and/or Spybot then. You might need to run those programs a couple of times to get rid of everything.

A lot of game sites have trojans and tons of popups. It is possible that you got it from one of them. Just a guess.

Let us know how it goes...Good Luck!

DonJ
July 13th, 2004, 06:32 PM
Also, check out NooNoo's nice thread, How to fix popups, spyware, malware and nuisance programs (http://forums.windrivers.com/showthread.php?t=57348)

It has a place that specifically addresses "hijack this" and how to interpret what it says.

NooNoo
July 14th, 2004, 07:37 AM
Yes, you have WinTools:
C:\WINDOWS\system32\winlogon.exe
Good how-to here (http://www.pchell.com/support/wintools.shtml)

Then go through the link on how to fix popups to catch anything else.

cabal
July 14th, 2004, 09:53 PM
I had a spyware program on my PC that kept coming back after multiple eliminations with Spybot and Ad-Aware. I finally found it by installing the ZoneAlarm firewall software and letting it monitor every program going out to the internet. It came up with a "rundll32.exe is trying to access the internet" message; I told it not to allow it and then I got an error message from a program called mrcapsy or something deep in the Windows registry. I eliminated that key and it never came back, but what a pain. It didn't show up in HijackThis, I think because it didn't run continually in the background. All I know is I hope I never see anything like this again. :devil:

imaeditedbysowulo
July 14th, 2004, 10:20 PM
Try Mozilla Firefox. It's free.

I've gotten 5 people to try it for a week so far and all of them still use it. Did I mention it's free? It's also noticeably faster than IE, and it's free.

jimjazz888
July 14th, 2004, 11:16 PM
Try CWShredder. It finds most webpage hijacks and removes them, whereas Spybot and Ad-Aware didn't.